Title: Version 5.2.3
Published: September 5, 2019

---

# Version 5.2.3


On September 4th, 2019, [WordPress 5.2.3](https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/)
was released to the public.

## Installation/Update Information

To download WordPress 5.2.3, update automatically from the Dashboard > Updates menu
in your site’s admin area or visit the [archive](https://wordpress.org/download/release-archive/).

For step-by-step instructions on installing and updating WordPress:

 * [Updating WordPress](https://wordpress.org/documentation/article/updating-wordpress/)

If you are new to WordPress, we recommend that you begin with the following:

 * [New To WordPress – Where to Start](https://wordpress.org/documentation/article/new_to_wordpress_-_where_to_start/)
 * [First Steps With WordPress](https://wordpress.org/documentation/article/first-steps-with-wordpress/)
   or [Upgrading WordPress Extended](https://wordpress.org/documentation/article/upgrading-wordpress-extended-instructions/)
 * [WordPress Lessons](https://wordpress.org/documentation/article/wordpress-lessons/)

## Summary

According to the [WordPress 5.2.3 release post](https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/),
this maintenance and security release fixes 29 bugs and includes a few security fixes.

Here are some changes of note:

 * [#38415](https://core.trac.wordpress.org/ticket/38415): New Custom Link menu 
   item has a wrong fallback label
 * [#45739](https://core.trac.wordpress.org/ticket/45739): Block Editor: $editor_styles
   bug.
 * [#45935](https://core.trac.wordpress.org/ticket/45935): A URL in do_block_editor_incompatible_meta_box
   function does not have classic-editor__forget parameter
 * [#46757](https://core.trac.wordpress.org/ticket/46757): Media Trash: The Bulk
   Media options when in the Trash shouldn’t provide two primary buttons
 * [#46758](https://core.trac.wordpress.org/ticket/46758): Media Trash: Primary 
   button(s) should be on the left
 * [#46899](https://core.trac.wordpress.org/ticket/46899): Ensure that tables generated
   by the Settings API have no semantics
 * [#47079](https://core.trac.wordpress.org/ticket/47079): Incorrect version for
   excerpt_allowed_blocks filter
 * [#47113](https://core.trac.wordpress.org/ticket/47113): Media views: dismiss 
   notice button is invisible
 * [#47145](https://core.trac.wordpress.org/ticket/47145): Feature Image dialog 
   does not follow the dialog pattern
 * [#47190](https://core.trac.wordpress.org/ticket/47190): Twenty Seventeen: Native
   audio and video embeds have no focus state.
 * [#47340](https://core.trac.wordpress.org/ticket/47340): Twenty Nineteen: Revise
   Latest Posts block styles to support post content options.
 * [#47386](https://core.trac.wordpress.org/ticket/47386): Fix headings hierarchy
   in the legacy Custom Background and Custom Header pages
 * [#47390](https://core.trac.wordpress.org/ticket/47390): Improve accessibility
   of forms elements within some “form-table” forms
 * [#47414](https://core.trac.wordpress.org/ticket/47414): Twenty Seventeen: Button
   block preview has extra spacing within button
 * [#47458](https://core.trac.wordpress.org/ticket/47458): Fix tab sequence order
   in the Media attachment browser
 * [#47489](https://core.trac.wordpress.org/ticket/47489): Emoji are substituted
   in preformatted blocks
 * [#47502](https://core.trac.wordpress.org/ticket/47502): Media modal bottom toolbar
   cuts-off content in Internet Explorer 11
 * [#47538](https://core.trac.wordpress.org/ticket/47538): Minor Verbiage Update–
   Switch ‘developer time’ for ‘a developer’
 * [#47543](https://core.trac.wordpress.org/ticket/47543): Twenty Seventeen: buttons
   don’t change color on hover and focus
 * [#47561](https://core.trac.wordpress.org/ticket/47561): Plugin: View details 
   popup layout issue
 * [#47603](https://core.trac.wordpress.org/ticket/47603): My account toggle on 
   admin bar not visible at high zoom levels
 * [#47604](https://core.trac.wordpress.org/ticket/47604): Undefined variable: locked
   in wp-admin/edit-form-blocks.php
 * [#47687](https://core.trac.wordpress.org/ticket/47687): Use alt tags for gallery
   images in editor
 * [#47688](https://core.trac.wordpress.org/ticket/47688): Color hex code in color
   picker displayed in RTL instead of LTR on RTL install (take 2)
 * [#47693](https://core.trac.wordpress.org/ticket/47693): customizer Color picker
   should get closed when click on color picker area.
 * [#47723](https://core.trac.wordpress.org/ticket/47723): Adding a custom link 
   in nav-menus.php doesn’t trim whitespace
 * [#47758](https://core.trac.wordpress.org/ticket/47758): Font sizes on installation
   screen are too small
 * [#47835](https://core.trac.wordpress.org/ticket/47835): PHP requirement always
   set to null for plugins
 * [#47888](https://core.trac.wordpress.org/ticket/47888): Adding a custom link 
   in menu via Customize doesn’t trim whitespace.

#### Security Fixes

 * Props to [Simon Scannell of RIPS Technologies](https://blog.ripstech.com/authors/simon-scannell/)
   for finding and disclosing two issues. The first was a cross-site scripting (XSS)
   vulnerability found in post previews by contributors. The second was a
   cross-site scripting vulnerability in stored comments.
 * Props to [Tim Coen](https://security-consulting.icu/blog/) for disclosing an 
   issue where validation and sanitization of a URL could lead to an open redirect.
 * Props to Anshul Jain for disclosing reflected cross-site scripting during media
   uploads.
 * Props to [Zhouyuan Yang of Fortinet’s FortiGuard Labs](https://fortiguard.com)
   who disclosed a cross-site scripting (XSS) vulnerability in shortcode
   previews.
 * Props to Ian Dunn of the Core Security Team for finding and disclosing a case
   where reflected cross-site scripting could be found in the dashboard.
 * Props to Soroush Dalili ([@irsdl](https://twitter.com/irsdl?lang=en)) from NCC
   Group for disclosing an issue with URL sanitization that can lead to cross-site
   scripting (XSS) attacks.
 * In addition to the above changes, we are also updating jQuery on older versions
   of WordPress. This change was [added in 5.2.1](https://core.trac.wordpress.org/ticket/47020)
   and is now being brought to older versions. 

For a full list of changes, please consult the [list of tickets on Trac](https://core.trac.wordpress.org/query?status=closed&resolution=fixed&milestone=5.2.3&group=component&col=id&col=summary&col=owner&col=type&col=priority&col=component&col=focuses&col=reporter&order=component).

Thank you to the 62 people who contributed to WordPress 5.2.3:

[Adam Silverstein](https://profiles.wordpress.org/adamsilverstein/), [Alex Concha](https://profiles.wordpress.org/xknown/),
[Alex Goller](https://profiles.wordpress.org/alpipego/), [Andrea Fercia](https://profiles.wordpress.org/afercia/),
[Andrew Duthie](https://profiles.wordpress.org/aduth/), [Andrew Ozz](https://profiles.wordpress.org/azaozz/),
[Andy Fragen](https://profiles.wordpress.org/afragen/), [Ashish Shukla](https://profiles.wordpress.org/762e5e74/),
[Aslam Shekh](https://profiles.wordpress.org/wpboss/), [backermann1978](https://profiles.wordpress.org/backermann1978/),
[Catalin Dogaru](https://profiles.wordpress.org/cdog/), [Chetan Prajapati](https://profiles.wordpress.org/chetan200891/),
[Chris Aprea](https://profiles.wordpress.org/aprea/), [Christoph Herr](https://profiles.wordpress.org/christophherr/),
[dan@micamedia.com](https://profiles.wordpress.org/danmicamediacom/), [Daniel Llewellyn](https://profiles.wordpress.org/diddledan/),
[donmhico](https://profiles.wordpress.org/donmhico/), [Ella van Durpe](https://profiles.wordpress.org/iseulde/),
[epiqueras](https://profiles.wordpress.org/epiqueras/), [Fencer04](https://profiles.wordpress.org/fencer04/),
[flaviozavan](https://profiles.wordpress.org/flaviozavan/), [Garrett Hyder](https://profiles.wordpress.org/garrett-eclipse/),
[Gary Pendergast](https://profiles.wordpress.org/pento/), [gqevu6bsiz](https://profiles.wordpress.org/gqevu6bsiz/),
[Hardik Thakkar](https://profiles.wordpress.org/thakkarhardik/), [Ian Belanger](https://profiles.wordpress.org/ianbelanger/),
[Ian Dunn](https://profiles.wordpress.org/iandunn/), [Jake Spurlock](https://profiles.wordpress.org/whyisjake/),
[Jb Audras](https://profiles.wordpress.org/audrasjb/), [Jeffrey Paul](https://profiles.wordpress.org/jeffpaul/),
[jikamens](https://profiles.wordpress.org/jikamens/), [John Blackbourn](https://profiles.wordpress.org/johnbillion/),
[Jonathan Desrosiers](https://profiles.wordpress.org/desrosj/), [Jorge Costa](https://profiles.wordpress.org/jorgefilipecosta/),
[karlgroves](https://profiles.wordpress.org/karlgroves/), [Kjell Reigstad](https://profiles.wordpress.org/kjellr/),
[laurelfulford](https://profiles.wordpress.org/laurelfulford/), [Maje Media LLC](https://profiles.wordpress.org/majemedia/),
[Martin Spatovaliyski](https://profiles.wordpress.org/mspatovaliyski/), [Mary Baum](https://profiles.wordpress.org/marybaum/),
[Monika Rao](https://profiles.wordpress.org/monikarao/), [Mukesh Panchal](https://profiles.wordpress.org/mukesh27/),
[nayana123](https://profiles.wordpress.org/nayana123/), [Ned Zimmerman](https://profiles.wordpress.org/greatislander/),
[Nick Daugherty](https://profiles.wordpress.org/nickdaugherty/), [Nilambar Sharma](https://profiles.wordpress.org/rabmalin/),
[nmenescardi](https://profiles.wordpress.org/nmenescardi/), [Paul Vincent Beigang](https://profiles.wordpress.org/bassgang/),
[Pedro Mendonça](https://profiles.wordpress.org/pedromendonca/), [Peter Wilson](https://profiles.wordpress.org/peterwilsoncc/),
[Sergey Biryukov](https://profiles.wordpress.org/sergeybiryukov/), [Sergey Predvoditelev](https://profiles.wordpress.org/vjik/),
[Sharaz Shahid](https://profiles.wordpress.org/sharaz/), [Stanimir Stoyanov](https://profiles.wordpress.org/sstoqnov/),
[Stefano Minoia](https://profiles.wordpress.org/ryokuhi/), [Tammie Lister](https://profiles.wordpress.org/karmatosed/),
[tellthemachines](https://profiles.wordpress.org/isabel_brison/), [tmatsuur](https://profiles.wordpress.org/tmatsuur/),
[Vaishali Panchal](https://profiles.wordpress.org/vaishalipanchal/), [vortfu](https://profiles.wordpress.org/vortfu/),
[Will West](https://profiles.wordpress.org/tsewlliw/), and [yarnboy](https://profiles.wordpress.org/yarnboy/).

## List of Files Revised

```
wp-admin/css/color-picker-rtl.css
wp-admin/css/color-picker-rtl.min.css
wp-admin/css/color-picker.css
wp-admin/css/color-picker.min.css
wp-admin/css/common-rtl.css
wp-admin/css/common-rtl.min.css
wp-admin/css/common.css
wp-admin/css/common.min.css
wp-admin/css/forms-rtl.css
wp-admin/css/forms-rtl.min.css
wp-admin/css/forms.css
wp-admin/css/forms.min.css
wp-admin/css/install-rtl.css
wp-admin/css/install-rtl.min.css
wp-admin/css/install.css
wp-admin/css/install.min.css
wp-admin/css/login-rtl.css
wp-admin/css/login-rtl.min.css
wp-admin/css/login.css
wp-admin/css/login.min.css
wp-admin/includes/ajax-actions.php
wp-admin/includes/class-wp-plugins-list-table.php
wp-admin/includes/ms.php
wp-admin/includes/network.php
wp-admin/includes/plugin-install.php
wp-admin/includes/template.php
wp-admin/js/customize-nav-menus.js
wp-admin/js/customize-nav-menus.min.js
wp-admin/js/nav-menu.js
wp-admin/js/nav-menu.min.js
wp-admin/js/post.js
wp-admin/js/post.min.js
wp-admin/js/updates.js
wp-admin/js/updates.min.js
wp-admin/maint/repair.php
wp-admin/network/settings.php
wp-admin/network/site-info.php
wp-admin/network/site-new.php
wp-admin/network/site-settings.php
wp-admin/network/site-users.php
wp-admin/network/user-new.php
wp-admin/about.php
wp-admin/async-upload.php
wp-admin/custom-background.php
wp-admin/custom-header.php
wp-admin/edit-form-blocks.php
wp-admin/edit-form-comment.php
wp-admin/edit-tag-form.php
wp-admin/install.php
wp-admin/options-discussion.php
wp-admin/options-general.php
wp-admin/options-media.php
wp-admin/options-permalink.php
wp-admin/options-reading.php
wp-admin/options-writing.php
wp-admin/options.php
wp-admin/privacy.php
wp-admin/setup-config.php
wp-admin/user-edit.php
wp-admin/user-new.php
wp-content/themes/twentynineteen/sass/blocks/_blocks.scss
wp-content/themes/twentynineteen/style-editor.css
wp-content/themes/twentynineteen/style-editor.scss
wp-content/themes/twentynineteen/style-rtl.css
wp-content/themes/twentynineteen/style.css
wp-content/themes/twentyseventeen/assets/css/colors-dark.css
wp-content/themes/twentyseventeen/assets/css/editor-blocks.css
wp-content/themes/twentyseventeen/inc/color-patterns.php
wp-content/themes/twentyseventeen/style.css
wp-includes/css/admin-bar-rtl.css
wp-includes/css/admin-bar-rtl.min.css
wp-includes/css/admin-bar.css
wp-includes/css/admin-bar.min.css
wp-includes/css/buttons-rtl.css
wp-includes/css/buttons-rtl.min.css
wp-includes/css/buttons.css
wp-includes/css/buttons.min.css
wp-includes/css/media-views-rtl.css
wp-includes/css/media-views-rtl.min.css
wp-includes/css/media-views.css
wp-includes/css/media-views.min.css
wp-includes/js/media-grid.js
wp-includes/js/media-grid.min.js
wp-includes/js/media-views.js
wp-includes/js/media-views.min.js
wp-includes/js/wp-a11y.js
wp-includes/js/wp-a11y.min.js
wp-includes/js/wp-sanitize.js
wp-includes/js/wp-sanitize.min.js
wp-includes/blocks.php
wp-includes/formatting.php
wp-includes/kses.php
wp-includes/media-template.php
wp-includes/nav-menu.php
wp-includes/pluggable.php
wp-includes/post-template.php
wp-includes/script-loader.php
wp-includes/version.php
```

First published: September 5, 2019